Vulnerability Disclosure Policy

We respect and protect the security of all user information. Understanding the importance of identifying potential security threats and patching vulnerabilities, we strive to address security issues to safeguard user privacy and data. However, no system can be completely immune to vulnerabilities. If you discover any vulnerabilities in our products or need to report a security incident, we encourage you to proactively contact us to help further enhance the security of our products and services.

1. Vulnerability Reporting

You can send vulnerability reports to security@switch-bot.com via email, providing detailed descriptions of any vulnerabilities or security incidents you have discovered.

2. Our Handling Process

2.1 Upon receiving a vulnerability report, we will establish a security emergency response team within one working day to promptly review, assess, and verify the reported issues, and if necessary, respond to or communicate with the reporter.

2.2 If a vulnerability is confirmed, our security emergency response team will evaluate the vulnerability level based on common vulnerability scoring systems such as CVSS 3.1 and, within three working days, determine a detailed vulnerability remediation plan according to the vulnerability level, severity, and difficulty of repair.

2.3 We will proceed with vulnerability remediation, verification, and software version updates according to the remediation plan. In principle, critical and high-risk vulnerabilities will be fixed within three working days, high-risk vulnerabilities within 0.5 months, medium-risk vulnerabilities within one month, and low-risk vulnerabilities within four months.

2.4 We will document the vulnerability handling process and continuously monitor it.

3. Our Commitment

3.1 For every security vulnerability issue reported by a reporter, we will handle it promptly and cautiously to protect user interests and enhance product security and reliability.

3.2 We oppose and condemn all hacker behaviors that exploit security vulnerabilities for destructive purposes under the guise of vulnerability testing, including but not limited to unauthorized access to user privacy, theft of user data, and malicious dissemination of vulnerabilities or data.

We will deliver an updated experience for you on a regular basis including updated security patches. The period of software update support is 2 years, see the table below for details.